1
00:00:00,420 --> 00:00:05,730
Another type of VLAN hopping attack is known as the double tagging attack.

2
00:00:06,800 --> 00:00:12,170
This type of attack takes advantage of the way that hardware on most switches operates.

3
00:00:12,410 --> 00:00:20,660
Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed

4
00:00:20,690 --> 00:00:24,440
a hidden 802.1Q tag inside the frame.

5
00:00:24,890 --> 00:00:32,720
This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify.

6
00:00:33,200 --> 00:00:40,430
An important characteristic of the double tagging VLAN hopping attack is that it works even if trunk

7
00:00:40,430 --> 00:00:48,500
ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

8
00:00:51,360 --> 00:00:56,910
So let's see how the double tagging VLAN hopping attack is performed step by step.

9
00:00:58,320 --> 00:01:03,150
The attacker sends a double-tagged 802.1Q frame to the switch.

10
00:01:03,950 --> 00:01:10,280
The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk

11
00:01:10,280 --> 00:01:10,820
port.

12
00:01:12,370 --> 00:01:19,330
Normally, a switch port configured as a trunk port sends and receives VLAN-tagged Ethernet frames.

13
00:01:19,810 --> 00:01:24,010
The native VLAN is the only VLAN which is not tagged on a trunk.

14
00:01:24,010 --> 00:01:28,840
In other words, native VLAN frames are transmitted untagged.

15
00:01:29,920 --> 00:01:35,830
The assumption here is that the switch processes the frame received from the attacker as if it were

16
00:01:35,830 --> 00:01:37,120
on a trunk port.

17
00:01:37,450 --> 00:01:41,290
In this example, the native VLAN is VLAN 1.

18
00:01:41,410 --> 00:01:43,330
The inner tag is the victim

19
00:01:43,330 --> 00:01:43,870
VLAN.

20
00:01:43,870 --> 00:01:46,240
In this case it's VLAN 20.

21
00:01:47,460 --> 00:01:53,730
The frame arrives on the switch, which looks at the first four-byte 802.1Q tag.

22
00:01:54,330 --> 00:01:59,460
The switch sees that the frame is destined for VLAN 1, which is the native VLAN.

23
00:02:00,740 --> 00:02:07,670
The switch forwards the packet out on all VLAN 1 ports after stripping the VLAN 1 tag.

24
00:02:08,380 --> 00:02:09,580
On the trunk port,

25
00:02:09,759 --> 00:02:16,630
the VLAN 1 tag is stripped and the packet is not re-tagged because it's part of the native VLAN.

26
00:02:16,900 --> 00:02:23,860
At this point the VLAN 20 tag is still intact and it has not been inspected by the first switch.

27
00:02:25,200 --> 00:02:32,250
The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is

28
00:02:32,250 --> 00:02:33,600
destined for VLAN 20,

29
00:02:33,630 --> 00:02:34,860
the target VLAN.

30
00:02:35,480 --> 00:02:41,630
The second switch sends the frame on to the victim port or floods it, depending on whether there is

31
00:02:41,630 --> 00:02:44,870
an existing MAC address table entry for the victim's host.

32
00:02:45,980 --> 00:02:53,060
So the best approach to mitigating double tagging attacks is to ensure that the native VLAN of the trunk

33
00:02:53,060 --> 00:02:57,530
ports is different from the VLAN of any user ports.

34
00:02:57,590 --> 00:02:58,160
Right.

35
00:02:58,190 --> 00:03:02,420
In other words, do not let the users use the native VLAN.

36
00:03:02,690 --> 00:03:10,190
In fact, it's considered a security best practice to use a fixed VLAN that is distinct from all user

37
00:03:10,190 --> 00:03:15,980
VLANs in the switch network as the native VLAN for all 802.1Q trunks.
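The walkthrough above (outer tag equal to the native VLAN, inner tag naming the victim VLAN, first switch stripping the outer tag on trunk egress, second switch classifying by the now-outermost tag) can be reproduced at the byte level. The following is an added example, not code from the lecture: it builds a real 802.1Q double-tagged Ethernet frame (TPID 0x8100, 12-bit VID in the TCI) and runs it through a simplified model of the two switches, once with native VLAN 1 (the attack succeeds and the frame lands in VLAN 20) and once with the mitigation from the end of the lecture, a native VLAN of 999 that no user port belongs to (the frame stays in VLAN 1 and the inner tag remains buried in the payload). The MAC addresses, the VLAN numbers 1, 20 and 999, and the rule that an access port accepts a tagged frame only when the tag matches its own VLAN are assumptions made for the model, not behaviour the lecture specifies.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def vlan_tag(vid, pcp=0, dei=0):
    """Build one 4-byte 802.1Q tag: TPID followed by TCI (PCP:3 bits, DEI:1 bit, VID:12 bits)."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return struct.pack("!HH", TPID, tci)


def build_frame(dst, src, tags, ethertype, payload):
    """Ethernet II frame: dst MAC, src MAC, zero or more 802.1Q tags (outermost first), EtherType, payload."""
    return dst + src + b"".join(vlan_tag(v) for v in tags) + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """If an 802.1Q tag directly follows the MAC addresses, return (vid, frame with that tag removed).
    Otherwise return (None, frame) unchanged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def access_ingress(frame, access_vlan):
    """Model of switch 1's access port (assumption): an untagged frame, or one tagged with the port's own
    VLAN, is classified into that VLAN with the tag stripped; any other tag is dropped."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, stripped
    return None, None  # dropped


def trunk_egress(frame, vlan, native_vlan):
    """Model of trunk egress: the native VLAN leaves untagged, every other VLAN gets a tag pushed."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + vlan_tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Model of switch 2's trunk port: the outermost tag decides the VLAN; no tag means native VLAN."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, stripped


def deliver(attacker_frame, access_vlan, native_vlan):
    """Run the attacker's frame through switch 1 (access in, trunk out) and switch 2 (trunk in).
    Returns the VLAN switch 2 assigns the frame to, or None if switch 1 dropped it."""
    vlan, frame = access_ingress(attacker_frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(frame, vlan, native_vlan)
    vlan2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan2


# Constructed sample input: attacker on VLAN 1, outer tag 1 (= native VLAN in the lecture), inner tag 20.
ATTACKER_MAC = b"\x00\x11\x22\x33\x44\x55"  # assumed address
VICTIM_MAC = b"\x00\x66\x77\x88\x99\xaa"    # assumed address
DOUBLE_TAGGED = build_frame(VICTIM_MAC, ATTACKER_MAC, [1, 20], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    # Native VLAN 1 (same as the attacker's VLAN): switch 1 strips tag 1 and sends untagged,
    # so switch 2 reads tag 20 and the frame hops into the victim VLAN.
    print("native VLAN 1   -> delivered to VLAN", deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=1))
    # Native VLAN 999 (unused by any user port): switch 1 re-tags with VLAN 1 on the trunk,
    # so switch 2 keeps the frame in VLAN 1 and never reaches the inner tag.
    print("native VLAN 999 -> delivered to VLAN", deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=999))
```

The model deliberately ignores MAC learning and flooding (the last step of the lecture); it is only meant to show that the outcome is decided by whether the outer tag equals the trunk's native VLAN, which is exactly what the mitigation changes.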